Anyone ever get MACsec towards Azure up and running? We have an IOS-XE switch, and followed the configuration guide for MACsec with PSK here: https://www.cisco.com/c/en/us/td/docs/iosxr/ncs5500/security/62x/b-system-security-cg-ncs5500-62x/b-system-security-cg-ncs5500-62x_chapter_0101.html#concept_gjz_ysl_vcb
The second we enable "macsec network-link" toward Azure, the line protocol goes down, and show mka summary says the link is in Init mode. Nothing happens after that, and I can see no packets from the other end with debugs. The problem is the Microsoft Azure guys have had a look, and everything looks good on their end. Ideas?
I'm a bit of a novice at cloud connectivity, but who/how are you getting connectivity into Azure? Are you peering with them directly or via some third party like Megaport?
Microsoft offers a direct connection called ExpressRoute Direct, and on that type of connection you can get MACsec. Just not quite sure how to troubleshoot this when I don't have control of the other end. Can't see anything in the logs relating to wrong PSK or anything like that. What else can I do on my end to troubleshoot?
So with this you get a direct circuit to Azure like they physically give you a cable/handoff? So it's L1 all the way to their service?
Not yet, still an ongoing case with MS support. They seem to have found some issues on their end, but we're not rocking MACsec yet :( I'll update as soon as we get a cause.
So this is a WAN MACsec implementation then? Is that supported in MS with the 802.1Q header in the clear, or have I misunderstood your setup?